How do I deal with an individual’s request for their personal information?

You need to promptly respond to the request and provide people with access to the personal information you hold about them, subject to a very limited number of exceptions.

There are some steps you’ll need to work through if you receive a request for personal information, even if the requester doesn’t mention the Privacy Act.

  1. Work out whether you hold the personal information that the person has asked for. If you don’t, but you know another organisation holds the information, you should consider whether it would be appropriate to transfer the request to that organisation. Otherwise, you will need to refuse the request. You should also verify the identity of the requester to ensure they are the subject of the personal information being requested or an authorised representative.
  2. Once you’ve established that you hold the information, the next thing to decide is whether you’re the right organisation to release it. If you know the information is also held by another organisation, and you think it would be more appropriate for that organisation to decide whether to provide the information, then you should transfer the request to them. If you transfer the request, you need to do so promptly (within 10 days of receiving it). However, you shouldn’t transfer a request if you know the person wouldn’t want you to.
  3. If you hold the information, and haven’t transferred the request to another agency, then you’ll need to decide on the request. Generally, this must be done within 20 working days. However, the timeframe could be shorter if the individual has grounds to ask for the information urgently, or longer if you have grounds to seek an extension. If you extend the timeframe for responding, you must inform the individual of the extension within the 20 working days and let them know they can complain to OPC about the extension. Equally, if the request is straightforward and doesn’t require your organisation to gather much information, then it should be addressed quickly.
  4. When you do provide a decision, it must say whether you agree to release all of the information requested, some of the information, or none of the information.

If you are withholding any or all of the personal information requested, you need to let the individual know which withholding grounds you are relying on to withhold the information. You will also need to let the individual know that they have a right to have your decision reviewed (by making a complaint to us about your response).

If you agree to provide any or all of the personal information requested, you need to let the individual know that they have a right to request correction of the personal information you hold. If you intend to charge the individual for their information (if you’re a private sector organisation), the charge needs to be reasonable, you need to let the requester know how much the charge will be, and the charge can be reviewed by the Privacy Commissioner if the requester complains about the charge.

It’s also important to know that you don’t necessarily have to provide the personal information at the same time you provide the individual with your decision (although this will often be the case). However, if you’ve agreed to provide personal information, but haven’t included the information with your decision, you need to make sure that you do provide it without undue delay – in other words, as soon as you can.

Additional obligations

  • Instead of refusing a request for personal information, you could consider imposing conditions. For example, you might want to restrict how the requester can use the information. However, you need to be able to explain why any limit or condition is necessary.
  • You must make the information available in the way preferred by the requester, unless the exceptions in s56(2) of the Privacy Act apply.
  • You need to consider your organisation’s responsibilities in s57 of the Privacy Act to verify the request before giving access to the information.

Updated September 2024